6. Cracking Windows Passwords – C
Okay, so in our last video, we saw how if we change the SAM database to something other than SAM, and the SecEvent.Evt to something other than that, and restart the machine underneath some other operating system, it will create those. That’s all well and good, but what if you have 200 people logged on to that machine? I’m quite sure somebody’s going to notice and somebody’s going to complain, which is not something a hacker is going to want to have happen. So the question it begs is, is there a way to create that SAM database somewhere else and then grab the information from there? Well, I’m so glad you guys asked that question, because it just so happens that under the WINNT folder, under a folder called Repair, there is a SAM database.
There is a system file, and you’ll need both of these to do what I’m going to show you. Now, I want you to notice also this SAM database file. I can copy it without a problem. Now, the only drawback to this is that this is more than likely the same database file that was created when the system was installed, because the date on it is so old. Consequently, it’s not going to contain all those password hashes that I just installed. So we want to try and find a utility that will update this. And if you haven’t guessed already, this Repair directory is the staging area for the emergency repair disk. Now, if you are old enough to remember Windows NT, it gave you the capability to create an emergency repair diskette from the command line. With the advent of Windows 2000
and later, the way that we create an emergency repair diskette is by running the backup utility that comes with Windows. If I open this up, you will see I have an option to create an emergency repair disk. So I’m just going to choose that. It says to insert a formatted blank disk in drive A. Well, I don’t even have a drive A, and I doubt very seriously most people do. So I’m just going to click Cancel right here, and I’m going to store this backup media, and I don’t care what it stores to. I’m wanting the byproduct of what happens when it creates this. I’m just going to store this somewhere else, all right? I’m just going to put it right here underneath the Backup folder.
So I’m going to call this “my backup”, all right? I’m going to tell it I want to save the system state data; that’s the information that’s stored on the emergency repair disk. Then I’m just simply going to start the backup. It’s going to say it was created at this time, or place the data on the media with Backup. It doesn’t make any difference, really, because like I said, I want the byproduct of what has happened. Now, if I go over here to the Repair directory, you’ll notice there’s no subdirectory in here. But in about a minute and 5 seconds it will create an emergency repair directory called RegBack. This is one way you could tell if you’ve ever created an emergency repair diskette on this style of a machine.
So I’m going to pause the video real quick, because watching that counter is about as exciting as watching paint dry, and we’ll come right back whenever it’s done. Okay? As you can see, it told us it would take about a minute, one Microsoft minute, to do it, but it ended up taking about two regular minutes to do it. So the Microsoft minutes and the regular minutes just don’t ever seem to add up, do they? So I’m just going to go ahead and get out of this completely, because I don’t even need this anymore, and I definitely don’t need the file that it created in the My Computer folder. What I’m after is this file right here. It has the SAM database file, it has the system file. So let’s go ahead and grab this.
Okay? So what I ended up having to do was simply create a share out here on the Windows 2000 machine, and I put the SAM and the system file in that share that I created, and I went over to my XP attacker machine and I mapped a drive to it. And here I have both of those files in here, and you’re going to see that I’m going to need both those files to do a couple of things. So the first thing I’m going to do is go ahead and open up a little utility called Cain & Abel. When I bring this in, I’m going to come over to a tab called the Cracker tab. Now, in the Cracker tab I’m going to click in this area in here and I’ll get it to highlight this plus sign. It will say import hashes from a local system.
Well, I don’t want to import it from my Windows XP machine, I want to import it from that SAM database file. So I’m going to say import hashes from a SAM database. Now I’m going to simply go out to the drive Z and grab that SAM database. Boom. Now the next thing I need to do is put in the boot key, or what some other individuals would call the SysKey. What happens to stop people from doing exactly what I’m doing is encrypting the SAM database. It’s encrypted with a 128-bit symmetric key. And as we remember from our cryptography session, it’s not just one key, it’s the same key, symmetric meaning the same. So if I could figure out where they’ve stored that same key, then I would be able to grab and extract that from it.
It just so happens that I know that it’s stored in this system file. They give you a little utility to do this with. So I’m going to go ahead and cancel this. I’m going to grab this SysKey decoder. I’m going to double click on System, and there it’s already extracted my SysKey. I’m just going to copy that, click on Exit, go back in here and do this a second time. This time when I come in here, I’m going to put in the SAM and I’m just going to paste in that SysKey when I click on Next. Looky there. It’s pulled in all of the password hashes, both NT and LM hashes; it tells me which ones are empty, which ones are less than eight characters, and so on. So I would be able to use this utility to crack the password hashes, or use the other utility to crack them. So we’re going to stop right here and move forward in our next video.
7. Cracking Windows Passwords – D
Let’s go ahead and continue our video back on the Win2K machine. Create a new session. Come out here and I’m going to click on Import. All right. Now, when I click on Import, rather than clicking on import from a local machine, which I know I can get, I can also do the same thing from a remote machine. If I click on this, it says the import method retrieves the encrypted passwords from networked Windows NT/2000/2003 machines or Unix machines running SSH. Now, I can tell you right now, yes, it does do that, although anything after Windows NT Service Pack 2 requires that you only get the password hashes locally. So what does this do? Basically, the way that it handles this, it has you create a remote agent and deploy that remote agent.
That remote agent asks for the password hashes locally and then sends them over here to L0phtCrack. So it’s just kind of getting around the problem. So back over here, I can also import it from a SAM database file. And I showed you how to do that by using Cain, which is a little bit easier, because this doesn’t have an easy way of doing the SysKey. I could run it from a previous version of this, or, the reason I’m actually going through all these right now is this one: I could obtain it from a pwdump file. So let’s go ahead and see how we would do that. If I go out under My Computer, under the C drive, under Lab folders, you’ll see that I have a directory out here called pwdump2.
I’ve installed a little utility on mine. Do a command prompt here, and if I type in pwdump2 and press Enter, you can see all of my password hashes have gone to the screen. Well, that’s not going to help me a whole lot. I’d really like for it to go to a file. So I’m just going to redirect that, and I’m going to call this udemy.txt. Okay? Now the next thing I’m going to do is come out here and import from a pwdump file. I’m going to browse out to where those pwdump files are located, and there’s my file, udemy. So I’m going to just double click on that, click OK, and you can see it imported all of the password hashes just like I did before.
So I’m showing you a number of different ways to obtain the hashes so you can perform an offline attack. Remember the difference between an online attack and an offline attack: in the online attack, you are actually making requests of the operating system to see if this is the correct password. The offline attack can happen tremendously faster. It’s only as fast as your slowest machine, and I can add graphics processors to ever increase the speed, using a utility called hashcat inside of Linux, and just a whole host of things. People have cloud hash crackers, and you could submit your password hash to them, and if they have it, they’ll charge you usually a pretty nominal fee.
Moxie Marlinspike had one that he had used for a while called CloudCracker, and I haven’t seen it online lately, so I’m not sure exactly what happened to it. But there’s a number of different utilities that you could just simply submit these password hashes to. If it’s an LM hash, we can pretty much crack it. But if it’s an NT hash, well, then it may be much more difficult and may need some extra power to be able to crack that. There’s one last thing I want to explain to you on going through: we can also import it from a sniffer. All right, now this one here is saying that I don’t have a driver installed, but that’s okay. I’m just going to explain to you what happens.
You would pick a network adapter here, and it would actually sniff the wire to obtain the password hashes as they come across. Now, there’s a couple of things I need to explain to you on that, and so I’m going to pull up a slide real quick and jump over and explain that. As we talked about before, LAN Manager authentication is used by Windows 95, Windows 98, Windows for Workgroups, and it uses DES encryption, the Data Encryption Standard, which is really easy to crack. NTLM authentication, created with NT 3.51, uses both DES and MD4. Version 2 uses MD4 and MD5, and they really haven’t gone up after that.
Now, the case in point here is when we send a login request, it sends back that challenge, or nonce, of random data. We’ve already encrypted our password, or hashed our password, I should say, here on the user end. So we’re going to take that challenge and use it to encrypt it again. We’re going to take the whole shebang and send it back to the domain controller or the server. Now, the domain controller or the server naturally knows what the challenge is. It’s a symmetric key. It sent it out, it knows what it is, it’s able just to strip it off. It then compares that to what it has in its SAM database or in its NTDS.dit database, which is the Active Directory database.
And if it matches, hey, you guessed the right password, come on in; or you guessed the wrong password, you remain locked out. So back at our Windows 2000 machine again, if I click on this session and import from a sniffer, what it’s got to do is go out and grab both the login request and the challenge, as well as the response, the combination of login and challenge that it encrypted it with. So it needs two pieces to be able to do this. And I want to cover just one more thing before we end this particular video: there’s one more protocol that I need to talk about. The one that I want to talk about is the Kerberos protocol.
Now, Kerberos gets its name from the Greek mythological Cerberus, which is the three-headed dog that guards the gates of Hades. For the Kerberos protocol, I’m going to kind of walk through each one of the steps. This user down here wants to log on. So the user makes a request for a ticket-granting ticket to the authentication server, which is our domain controller. The ticket-granting server sends back what’s called a ticket-granting ticket. We then, using this ticket-granting ticket, make a request for the Kerberos ticket from the ticket-granting system. It sends back a Kerberos ticket. We then take the Kerberos ticket and present that to some server that we want a resource from.
So, for example, it might be a file share or perhaps a printer. Now, the diagram here says that it gives us access to the service, but I want to go a little bit deeper, because it really checks back with the key distribution center and says, did you really send out this ticket? Is this ticket really valid? But in reality, it doesn’t check. It just knows. And I usually pose this question to my classes and say, how does it know? And please don’t disappoint me. Surely one of them will say that the key distribution server signs that Kerberos ticket. So all it has to do is have a copy of the public key from the distribution center, and if it’s able to decrypt it, it knows it came from that server.
8. Cracking Windows Passwords – E
So let’s step back over to our Windows 2K machine. And what I’m going to do next is, underneath Session, I’m going to go down to Session Options. I want you to notice right here that it gives me the auditing options for a dictionary crack. So it’s going to use words that are possibly in a dictionary, or a list of words would probably be a more accurate definition. For this we can add to the dictionary list. I’m just going to use the default, the one that’s in here, but I could add the most popular passwords or something of that nature. It also uses the dictionary/brute hybrid crack. And let me explain kind of how this works.
If you think you’re being nice and cute and evasive by putting in a password like Wild Thing and converting the I’s to an exclamation point, or converting the E’s to a three, or converting the A’s to an at sign, you’re probably not being nearly as evasive as you think you are, because that’s one of the functions that it has in here. The dictionary/brute hybrid attack basically takes common letter substitutions and substitutes for them. It does take quite a little bit longer to do this, but not quite as long as a brute force attack. It will also prepend or append characters at the end of the password.
Let’s say, for example, my password was January, which is not a good password, by the way, but let’s just say it was for argument’s sake. If the systems administrator tells me that I cannot reuse my same password for twelve consecutive password changes, I could put in January1, January2, January3, January4. This would catch it. Now, if I was the type of person where it’s keeping track of the last X number of passwords, it may not allow me to use that. So what I would then do is go through twelve passwords, January1, January2, all the way up to twelve, and then it would let me use my password again. Obviously this is defeating the whole purpose of what the system administrator was trying to do.
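The hybrid crack just described (common letter substitutions plus prepended or appended characters, and the January1 through January12 rotation that defeats a password-history rule) is exactly what a password policy has to anticipate. The following is an added example, not code from the lecture or from L0phtCrack or Cain & Abel: a defender-side check that reverses those same transformations before comparing a candidate against a wordlist, so that a password like January1 or W!ldTh!ng is rejected at change time rather than recovered later by the cracker. The wordlist, the substitution table and the sample passwords are constructed for the demo; a real deployment would load the same dictionary the audit tool uses.

```python
"""Defender-side check for passwords a dictionary/hybrid audit would recover.

Added example, not code from the lecture, L0phtCrack or Cain & Abel. The
wordlist, the substitution table and the sample passwords are constructed.
"""
import itertools
import re

# Constructed stand-in for the cracker's dictionary (lower-case words).
WORDLIST = {"password", "january", "wildthing", "welcome", "letmein", "dragon"}

# Letter substitutions the hybrid crack reverses. A digit can stand for more
# than one letter, so each entry lists every letter it might have replaced.
LEET_ALTERNATIVES = {
    "!": "i", "1": "il", "3": "e", "@": "a", "4": "a",
    "$": "s", "5": "s", "0": "o", "7": "t", "|": "l",
}

# Anything that is not a letter at either end is treated as an affix, so
# 'January12' and '!!Welcome2024' both reduce to their dictionary core.
AFFIX = re.compile(r"^[^A-Za-z]*(.*?)[^A-Za-z]*$")

MAX_VARIANTS = 4096  # cap on the de-leet expansion so odd input cannot blow up


def core_token(password: str) -> str:
    """Strip prepended/appended digits and symbols and lower-case the rest."""
    match = AFFIX.match(password)
    return (match.group(1) if match else password).lower()


def de_leet_variants(token: str):
    """Yield every plain-letter reading of token, the original chars included.

    'w!ldth1ng' yields 'w!ldth1ng', 'wildthing', 'wildthlng', ... (bounded).
    """
    choices = []
    for ch in token:
        alts = LEET_ALTERNATIVES.get(ch, "")
        choices.append(sorted(set(alts + ch)))
    produced = 0
    for combo in itertools.product(*choices):
        yield "".join(combo)
        produced += 1
        if produced >= MAX_VARIANTS:
            return


def audit_password(password: str) -> dict:
    """Classify one candidate: {'weak': bool, 'reason': str, 'matches': word|None}."""
    if len(password) < 8:
        return {"weak": True, "reason": "shorter than 8 characters", "matches": None}
    core = core_token(password)
    if core in WORDLIST:
        return {"weak": True, "reason": "dictionary word plus affix", "matches": core}
    for variant in de_leet_variants(core):
        if variant in WORDLIST:
            return {"weak": True,
                    "reason": "dictionary word with letter substitutions",
                    "matches": variant}
    return {"weak": False, "reason": "not in wordlist after normalisation", "matches": None}


if __name__ == "__main__":
    # Constructed sample candidates; the first three are the lecture's patterns.
    for candidate in ["January1", "W!ldTh!ng", "P@ssw0rd123", "Tr0ub4dor&3", "abc"]:
        verdict = audit_password(candidate)
        print(f"{candidate:14} weak={verdict['weak']!s:5} {verdict['reason']}")
```

The check runs the cracker’s transformations in reverse: strip the affix first, then expand the substitutions, and only then consult the wordlist. That order is what lets January1 through January12 all collapse to the same core and fail the policy, which is the gap the lecturer points out in a pure history rule.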
The precomputed is a list of rainbow tables. So if I click on this, and here’s my hash file list of all of my rainbow tables, I could just simply put that in right here. Moreover, I’ve got what’s called a brute force attack, and the brute force attack tells us the character set. So in this case right here, it’s going to try just the alphabet and numbers. But I can pick down; I could say alphabet, numbers and common symbols; alphabet, numbers and all symbols. If I pick this, this is every key I could have possibly typed on the keyboard. I could also pick the languages, because, for example, if I come in here underneath Custom and I put in this right here, I’m going to zoom in on that, and you’ll notice that is not just a capital U; it has two dots over it, which is known as the German umlaut.
So even if my character set didn’t allow me, I could use the alternate key and put in characters that perhaps aren’t part of that. So what I’m going to do next is simply disable the precomputed list, and I’m going to use the numbers and all symbols with this dictionary, and I’m going to just simply click OK. When I want to start my password attack, I’m just simply going to click the play, VCR-type button. Now I want you to notice how quickly it’s already come up with a number of these passwords: the one-character password, the two-character, the three-character, the password that’s in the dictionary. It hasn’t found my complex password yet, and it has immediately found the password
I called password123, and I want you to notice it’s gone through all of the dictionary passwords and now it’s trying the brute force. And here is where the current test is located. It estimates that it’s going to take this long, eleven days, 20 hours or so and so many minutes, to crack all of these. It just is a real good guess at this point. But if I were to use something like hashcat, I would have already had all these cracked, more than likely. And if I were to use a rainbow table, as long as none of these passwords was longer than 14 characters, I would crack all of them as well. So this gives you a really good idea of how the passwords are cracked on a Windows system.
So what I’m going to do next is, I’ve just simply downloaded the free trial of L0phtCrack version 7. If you recall, we were using L0phtCrack version 5, and this one is the newest version that’s out, and I’m just simply going to proceed with my trial, and we’re going to start a new session. You can see a lot of the same things: importing from a Linux, BSD, Solaris, AIX or a passwd/shadow file; importing from a pwdump file; importing from the SAM/system files; importing from a local Windows system, which is what we’re going to do. And then you can see the things they have for remote over SSH and remote over a Windows system. So let’s just go ahead and pick import from our local system; it’s asking us to use our logged-in credentials.
Now, as you can imagine, it’s only given us just a couple of these, but what I’m going to do is pause the video and go ahead and create some more passwords in here like I did on the other one. So I’ve added a couple more user accounts, and because this is Server 2012 it’s restricting me to making sure that I put in a strong password, which is okay; I guess that’s a good thing in reality. But for showing you what’s going on, it makes it a little bit harder to do. Now, I want you to notice that it is showing you the password hashes. We have the NTLM hash, which, as I said, most books just simply call an NT hash. Because remember, Microsoft drew the line in the sand at Vista and above.
So by default it will not have the LM passwords. So let’s see what we can do to go ahead and audit this, to see if we can go ahead and get it. Okay, and it wasn’t able to crack any of our passwords on that. Let’s try the dictionary next, and let’s do a complex one. You can see it’s going through all of these passwords, doing the current guesses and so on. And because I picked the audit by doing the character substitutions and so on, it’s probably going to have a little bit harder time. And it says it is going to take 23 hours to do this. So let’s see if I can just audit. Now you have a little bit better idea why I used the one that was inside of Windows 2000. It just makes for a better demonstration.
It’s not to say this isn’t a great tool right here, but trying to explain each one of the pieces using this would just simply make it much more difficult. You can see that you could use it; it’s exactly the same thing using all versions of Windows, because they store their passwords in exactly the same place. You’re just not going to have the LAN Manager crutch to fall back on, because it’s pretty easy for you to find a password when there are only seven characters forced to uppercase. Then after finding those seven characters that were forced to uppercase, you can generally go back and figure out which ones were upper and lowercase and come back and get the NT password as well.
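Two points from these videos, the pwdump-format export (one `user:RID:LM hash:NT hash:::` line per account) and the observation that Vista and later store no LM hash by default while older systems hand the cracker the LAN Manager crutch, can be turned into a routine audit. The following is an added example, not code from the lecture, pwdump2 or L0phtCrack: it parses pwdump-format lines and flags accounts whose LM hash is still stored, whose LM second half shows the password is seven characters or fewer, or whose NT hash is that of an empty password. The dump lines are constructed (the user names, RIDs and non-empty hash values are made up); the two empty-password constants are the well-known ones.

```python
"""Audit a pwdump-format export for accounts that are cheap to crack offline.

Added example, not code from the lecture, pwdump2 or L0phtCrack. The sample
dump is constructed: names, RIDs and non-empty hashes are made up.
"""
from dataclasses import dataclass, field

# Well-known constants: the LM and NT hashes of an empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
# LM hashes each 7-character half of the password separately, so a password of
# seven characters or fewer always has this value as its second half.
EMPTY_LM_HALF = EMPTY_LM[16:]

ISSUE_TEXT = {
    "EMPTY_NT": "NT hash is the empty-password hash",
    "LM_STORED": "LM hash still stored (DES-based, cracks quickly)",
    "LM_SHORT": "second LM half is empty: password is 7 characters or fewer",
}

# Constructed sample export in pwdump format (user:rid:lm:nt:::).
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
jsmith:1001:0123456789abcdefaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
mjones:1002:0123456789abcdef0123456789abcdef:00112233445566778899aabbccddeeff:::
svc_backup:1003:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
"""


@dataclass
class Finding:
    user: str
    rid: int
    issues: list = field(default_factory=list)  # codes from ISSUE_TEXT


def parse_pwdump_line(line: str):
    """Split 'user:rid:lm:nt:::' into (user, rid, lm, nt); hashes lower-cased."""
    parts = line.rstrip("\r\n").split(":")
    if len(parts) < 4:
        raise ValueError(f"not a pwdump line: {line!r}")
    return parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()


def audit_account(user: str, rid: int, lm: str, nt: str) -> Finding:
    """Flag the conditions that make an account cheap to recover offline."""
    finding = Finding(user, rid)
    if nt == EMPTY_NT:
        finding.issues.append("EMPTY_NT")
    if lm != EMPTY_LM:
        finding.issues.append("LM_STORED")
        if lm[16:] == EMPTY_LM_HALF:
            finding.issues.append("LM_SHORT")
    return finding


def audit_dump(text: str) -> list:
    """Audit every non-blank line of a pwdump-format export."""
    return [audit_account(*parse_pwdump_line(line))
            for line in text.splitlines() if line.strip()]


def summarize(findings: list) -> dict:
    """Count how many accounts carry each issue code."""
    counts = {code: 0 for code in ISSUE_TEXT}
    for finding in findings:
        for code in finding.issues:
            counts[code] += 1
    return counts


if __name__ == "__main__":
    results = audit_dump(SAMPLE_DUMP)
    for finding in results:
        for code in finding.issues:
            print(f"{finding.user} (RID {finding.rid}): {ISSUE_TEXT[code]}")
    print(summarize(results))
```

On a pre-Vista system every account will show LM_STORED unless LM storage was disabled by policy; on Vista and later the LM field should be the empty constant for every account, and any exception is worth a look. The LM_SHORT test works because the lecturer’s point about the seven-character split is visible directly in the hash: the second half is the constant whenever the password fits in the first half.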